You are looking at documentation for an older release. Not what you want? See the current release documentation.
To manipulate the response headers, the Apache module mod_headers must be activated and the following lines added on your configuration :
<VirtualHost *:80> ... # XSS Protection Header always append X-Frame-Options SAMEORIGIN Header always append X-XSS-Protection 1 Header always append Content-Security-Policy "frame-ancestors 'self' ... </VirtualHost>